Mend.io Communications – Mend (https://www.mend.io), feed built Thu, 19 Dec 2024 00:03:53 +0000

Mend.io is a Strong Performer in the Forrester Wave™ Software Composition Analysis, Q4 2024
https://www.mend.io/blog/mend-io-is-a-strong-performer-in-the-forrester-wave-software-composition-analysis-q4-2024/
Wed, 13 Nov 2024 17:49:57 +0000

It should be no surprise that the world runs on open source software. According to the latest Forrester Wave™ Software Composition Analysis Q4 2024 report, an “astonishing 77% of codebases are comprised of open-source software.” Since a “considerable amount of an application’s risk is due to third-party sources,” software composition analysis (SCA) tools remain the lifeblood for securing modern applications and bringing greater transparency to the software supply chain.

However, not every vendor approaches solving this challenge the same way. The Forrester Wave™ Software Composition Analysis Q4 2024, which evaluates 10 SCA vendors against 25 criteria, helps developers, engineers, and application security professionals better understand the leading solutions on the market so they can identify a tool that best fits their priorities. 

According to the report, SCA customers should look for software that “assists developers in remediating vulnerabilities and keeping libraries current, provides visibility into software supply chain risk, and prevents software supply chain attacks.” 

We’re honored to be recognized as a Strong Performer in the Forrester Software Composition Analysis (SCA) Q4 2024 report. Our top scores in over seven key criteria underscore our mission to help teams move from reactive to proactive application security. 

Our approach to software composition analysis

At Mend.io, we’ve always believed that gaining visibility into your open source components and securing the risk that comes with them shouldn’t be a laborious, expensive hindrance to development. 

We designed Mend SCA to go beyond simple detection and shallow coverage. It provides rich prioritization context and guidance, automated remediation, and elastic scalability, empowering our customers to proactively secure their open source components and software supply chain.

We’re thrilled to see our top-scoring criteria reflect our ethos and approach to empowering security teams to shift from reactive to proactive security. We received the highest scores across the following criteria:

  • Prioritization and reachability
  • Remediation and automation
  • Malicious package detection
  • Language support
  • AI component analysis
  • Pricing flexibility and transparency

Let’s explore how our approach aligns with our top scores.

Go beyond simple detection and coverage

Mend SCA received the top scores in:

  • Language support
  • Malicious package detection
  • AI component analysis

With a profusion of vulnerabilities to manage and a shrinking amount of resources, AppSec teams need their SCA tools to go beyond simply identifying vulnerabilities. Mend SCA makes this possible with extensive coverage across 200+ programming languages (for both security vulnerability and compliance/licensing analysis), 30+ package managers, containers (Docker containers, Kubernetes, several registries), and Linux operating systems.

When Mend SCA scans your code, it not only inventories and analyzes your direct and transitive dependencies for vulnerabilities but also surfaces essential risk context, including reachability, exploitability, malicious package insights, and license and compliance issues. This gives you the insight you need to understand the risk likelihood and impact and prioritize and remediate risks appropriately.

“Mend.io pioneered reachability”

Prioritize with context and automate remediation

Mend SCA received the top scores in:

  • Prioritization and reachability 
  • Remediation and automation

Developers, engineers, and AppSec teams must cut through the noise and understand, “What is a critical risk to me? What do I need to address right now? What is the best path to fix?”

Fusing risk-specific context (like application architecture, fix availability, open source health information such as library age, and CVSS 3 and CVSS 4 severity scores) with likelihood factors (like our best-in-class reachability analysis, malicious package detection, public exploit availability and maturity, EPSS scoring, and production information such as whether an image is deployed to production) and impact factors (like customer-defined labels or policies, compliance standards, and SLAs), Mend SCA prioritizes your most critical risks and provides the best path to remediate.

Unique to Mend SCA, each SCA finding includes the sink-to-source trace in code, package health data (like package age, adoption rate, data gathered on failure rates of builds between versions, and merge confidence ratings), risk reduction impact statistics, and the optimal upgrade path for your vulnerable package – the newest, most stable, least vulnerable library version that provides the most significant risk reduction.

Automated workflows and auto-remediation options for newly discovered vulnerabilities make it easier than ever for our customers to remediate at scale, all without breaking the build.

“Autoremediation for newly discovered vulnerabilities is a strength.”

Scale without breaking the bank

Mend SCA received the top scores in:

  • Pricing flexibility and transparency
  • Support services and offerings

The application security risk landscape is expanding and transforming at an insane rate. Add AI, ML, and LLMs into the mix, and it feels like we’ve unleashed Pandora’s box. While risk may expand exponentially… unfortunately, most budgets do not.

To remain secure and compliant, you need to be able to optimize and scale your AppSec programs with ease, including expanding and deepening security coverage. The Mend AppSec platform offers customers everything needed to build proactive application security through one solution at one price, meeting your evolving needs and budget constraints.

“Mend.io’s new pricing strategy is a strength: It offers one price for all products and services, including SCA, dependency updates, SAST, container security, and AI security, and it reflects the vision that customers need a holistic view of the application stack.”

Great things are on the horizon

The Forrester Wave™ states, “Mend.io is a great fit for enterprises that need an all-in-one solution for security, license, operational risk, and supporting services.” 

But we’re not done! As noted in the report, we’re in the midst of reshaping and transforming the Mend AppSec Platform so our customers have a unified, holistic view of their AppSec risk. 

A holistic approach allows findings to be correlated across the entire application attack surface. It enhances workflows and policies, integrates insights from additional tools, and ultimately enables our customers to proactively and significantly improve their AppSec posture.

👉 Read the full Forrester Wave™: Software Composition Analysis, Q4 2024 report to learn more about what to look for in a software composition analysis vendor and for additional information on Mend.io’s Strong Performer ranking.

Mend.io and Sysdig Launch Joint Solution for Container Security
https://www.mend.io/blog/mend-io-and-sysdig-launch-joint-solution-for-container-security/
Tue, 07 May 2024 13:03:28 +0000

Today at the RSA Conference 2024, Mend.io and Sysdig unveiled a joint solution to help developers, DevOps, and security teams accelerate secure software delivery from development to deployment. The new integration incorporates runtime context from Sysdig with Mend Container to provide users with superior, end-to-end, risk-based vulnerability prioritization and remediation across development and production environments.

As organizations increasingly use cloud-native services like containers and Kubernetes, they struggle to keep up with the high number of detected security issues. Together, Mend.io and Sysdig give organizations struggling with limited time and resources more effective ways to target the remediation of real risk. By providing insights into risk detected at runtime, security teams can prevent and defend with greater confidence.

The growing challenge of securing workloads

Gartner predicts that by 2025, 45% of large enterprises will have experienced attacks on their software supply chains. Threat actors are constantly looking for ways to introduce and exploit vulnerabilities to infiltrate a target organization’s network. As containers continue to grow in usage, they become an ideal delivery vehicle for malicious code. 

The volume of newly discovered vulnerabilities continues to increase every year. In fact, the total number of Common Vulnerabilities and Exposures (CVEs) is predicted to increase by 25% in 2024 from an already astoundingly high number (28,961 to be exact) of CVEs published in 2023. The never-ending flow of new vulnerabilities overwhelms developers and security teams alike, especially given that not every vulnerability found is of equal importance or even reachable. These teams need better ways to filter through the noise and achieve their ultimate goal of delivering software innovation, securely. 

Taming application security with Mend.io and Sysdig

Sysdig and Mend.io have come together to address the frustration of chasing endless software vulnerabilities. 

  • Mend.io has over a decade of experience helping global organizations build world-class AppSec programs. Mend SCA identifies and prioritizes critical security vulnerabilities, providing actionable remediation suggestions and a full picture of your open-source libraries and dependencies. 
  • Sysdig brings a deep understanding of what’s happening at runtime. As the creator of the Falco open source project, Sysdig is a pioneer in real-time visibility into abnormal behavior, potential security threats, and compliance violations through its comprehensive runtime security.

Through its vantage point at runtime, Sysdig profiles containers to pinpoint the software packages that are in use vs. those that are not. Armed with these insights, Mend enables developers to quickly target the remediation of vulnerabilities and real risk based on runtime exposure and severity. 

How it works: Mend.io and Sysdig integration

Mend Container, when integrated with Mend SCA and the Sysdig Runtime Insights API, incorporates the runtime context of software packages into the Mend SCA product and container scanning results. With this view into runtime context, developers and security teams can confirm application deployment and behavior in production and set their preferred remediation priorities and scoring.

Mend SCA goes beyond CVSS scores to help teams calculate risk. By analyzing aspects such as reachability and exploitability – and now runtime usage – it allows you to move beyond theoretical risk to understand the risk in the context of your application specifically.

Additionally, Mend is able to provide ownership insights for applications that can be incorporated into the Sysdig platform to help security teams identify associated repos and application ownership for vulnerable packages. These insights enable automation and acceleration of the remediation process across teams.

Secure from code to cloud

With potential threats taking many forms across the software life cycle, both pre- and post-production, organizations need a way to protect applications from multiple forms of risk. Together Mend.io and Sysdig help users leverage both “Shift Left” and “Shield Right” security strategies. 

Alone, even the best “left-side” strategy is not enough, as it is impossible to guard against every unknown threat that may arise in production. Here, Sysdig’s runtime security plays a key role in detecting threats in real time across your containers and cloud. “Shield Right” focuses on operational practices to prevent security incidents, as well as security monitoring and behavioral analysis to detect and respond to events when they occur.

With Sysdig and Mend.io, security teams can both harden their security posture to prevent attacks before they happen and continuously monitor for active risk to keep cloud environments and applications safe.

Build a world-class security program with Mend.io and Sysdig

As organizations accelerate delivery of cloud applications, ensuring end-to-end security across the software supply chain and into production is key to success. We are confident that joint customers of Mend and Sysdig will be able to expedite responsiveness, streamline vulnerability remediation, and drive a highly efficient and automated security workflow. The AppSec expertise of Mend.io and cloud-native application protection from Sysdig empower developer and security teams to move faster and focus on innovation.

From WhiteSource to Mend—A Rebrand Journey
https://www.mend.io/blog/from-whitesource-to-mend-a-rebrand-journey/
Thu, 26 May 2022 14:16:54 +0000

When it comes to rebranding, it’s not about the destination, it’s about the journey

How important is a company name, really? Turns out that it is pretty important, especially if the name you currently have does not represent what the company has become, or where it is going. Our name is what defines the vision, spirit, and ethos of who we are and what we are trying to accomplish—the strategy, technology, and culture all rolled into one. It needs to be crisp, memorable, and legally acquirable. Guess what? It is harder than it looks…

We had a great creative agency shepherding and supporting us through the twists and turns we needed to make. Ultimately, the decision came down to a small team. Most importantly, company naming and rebranding is not a marketing initiative; it is very much a corporate one. In our case, our name represents the change in who the company has become: expanding our application security leadership from open source to all code, with a mission focused on providing automation that takes the burden off developers while dramatically reducing the software attack surface.

Formerly WhiteSource, Mend has grown dramatically since its start. A pioneer in software composition analysis (SCA), we began offering custom code security through static application security testing (SAST) in February, which today has enabled us to offer a more automated approach to application security. We protect organizations against vulnerabilities while reducing risk and increasing productivity for security and development teams.

Beginning the journey

A successful rebrand is a lot more than a new logo and a different color palette. It is about getting leadership and the company to rally around a singular mission and to focus the purpose and value we bring to customers, community, and our employees. It is the beginning of the journey, and ultimately, you can put together the ingredients, but it is the people and the feelings attached to it that make a brand happen.

Why Mend

In the past two decades, most of application security has been set on detecting vulnerabilities and identifying problems, which is why in production we still see a lot of vulnerabilities appear. Developers are overwhelmed with the number of issues they have to address, with most requiring a lot of manual research to figure out what needs to be done to resolve them. 

This is where Mend comes in, with a goal of making application security more automated — focused on actually preventing, protecting, and fixing in the background to make it less of a developer burden. Our new look and name reflect this. 

It’s not just about the technology, however. Mend brings together developer and security teams who have historically struggled to reconcile at-odds job functions. We don’t just mend software; we can also mend the friction that arises when the business requires software engineering to deliver quality code on time amid ever-increasing application security risks. Evolving WhiteSource to Mend reflects this.

The logo itself is drawn in an abstract style. The logo can be seen as two hands coming together, signifying the joining of developers and security teams to enhance application security, as well as showing that Mend improves the way the two groups work together. It could also be viewed as a sewing stitch or even a zipper. We wanted to denote the concept of mending, portraying this with the look and feel. It represents a seamless process, the technology automatically underpinning the security challenges it addresses. The goal of the design is also to make it welcoming on a global scale, something people can understand and relate to no matter where they’re from. We wanted to stand out and be inviting, and the colors aqua, ocean, and navy capture this with a feel of freshness and innovation to resonate with security and engineering leaders.

Mending application security challenges with automation

We are here to disrupt the existing application security market by redefining how customers can secure their applications. Mend not only identifies vulnerabilities, we mend them using automation. The name Mend and the new look of our brand have evolved to match this approach and our focus on helping enterprises deliver secure software, faster.

Discover more about Mend’s Application Security Platform here
